Errors from Linux after disabling RC4 on domain controllers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
We have been trying to eliminate RC4 from our environment. We've set all user accounts to use AES and set all of our Windows servers to 24 for the value of msDS-SupportedEncryptionTypes, which is AES only. This past weekend we disabled RC4 on our domain controllers and immediately started getting errors in the system event logs for Linux servers. The event ID is Event 27, Kerberos-Key-Distribution-Center. Here is an example but there were lots of these...
Also, users were not able to log on to these servers. I've determined that all of the Linux servers that generated this error have their msDS-SupportedEncryptionTypes set to either 31 or 524316. I am thinking the resolution is to set that attribute to 24 as we did with Windows servers but I was hoping someone could confirm this.
If not, is there something else we need to do to resolve this before attempting the change on the domain controllers again?
Thanks
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 6%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Tony Massa 0 Reputation points2023-10-06T04:39:40.6966667+00:00 I've got a linux computer that is using SSSD for kerberos authentication (msDs-SupportedEncryptionTypes=31, currently) that generates this event, but has different "missing key" (ID of 2). It later was able to obtain a kerberos ticket, so maybe they are trying multiple types/values. We still support RC4 for the time being and the service was krbtgt. You should absolutely try to change the setting to "24" since your DCs only support AES...and then try to find out which KRB libraries are being used to see if there are any compatibility issues. It could be the krb5.conf file configuration they're using.
Update: We disabled RC4 completely and the Linux devices with msDs-SupportedEncryptionTypes=31 are still getting AES tickets. It's got to be their configured SSSD or krb5.conf configuration. The requested eTypes=23 must mean they are only configured for RC4 since they didn't ask for 17 or 18 also. The computer objects are fine...it's the local host configs that need to be updated: SSSD or krb5.conf config. Example config to support 23 17 18 eTypes:
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
Sign in to comment
Sign in to answer